Apache Reverse Proxy setting for site having Spring Security
I've been struggling with this same problem for a few days and I might have cracked it. I'm new to Spring Security so don't take this as gospel! Others might object... I'm using Apache 2.4 (on OS X) and Spring Security 4.1.1.
Everything ran perfectly well running locally, but whenever it was deployed to run behind a reverse proxy I got 404 errors every time I logged in. After much head scratching and Googling, here's what I found:
(As I don't have enough reputation points to post more that 2 links I've had to use a space after 'http://' for the URLs!)
Suppose Apache and Tomcat are running on the same host (localhost) with Apache configured to proxy requests from www.example.com to our web app deployed under the context path '/webapp'
ProxyPass / http://localhost:8080/webapp/
ProxyPassReverse / http://localhost:8080/webapp/
-
External client requests protected URL: http:// www.example.com/secret
GET /secret HTTP/1.1
Apache proxies this to http:// localhost:8080/webapp/secret
-
One of Spring's security filters intervenes and responds with a redirect to /login
HTTP/1.1 302 Found Location: http://www.example.com/login
-
Browser fetches URL
GET /login HTTP/1.1
Apache proxies this to http:// localhost:8080/webapp/login
-
Spring responds with its default login page
HTTP/1.1 200 OK
-
The interesting thing to note at this point is that the login form generated by Spring prefixes the forms action element with the context path (i.e. action="/webapp/login"). When you then click the submit button, a POST is performed to the URL /webapp/login
POST /webapp/login HTTP/1.1
We now have a problem. When Apache proxies this to the backend server, the resulting URL will be http:// localhost/webapp/webapp/login. You can see this in the catalina.out log showing there is no handler that can handle the request as the context path is now appearing twice in the URL.
The problem here is that the ProxyPass and ProxyReversePass directives (mod_proxy module) only modifies the HTTP Location header, the URL is left untouched. What is needed is to strip the context path from the URL before it reaches the proxy which will add it back on. Apache's RewriteRule seems to do the trick:
RewriteRule /webapp/(.*)$ http://localhost:8080/webapp/$1 [P]
Although this solved the 404 errors and I could see Apache was now proxying to the correct URL, I was constantly getting the login page re-displayed every time I logged in. This next bit of config seems to resolve this:
ProxyPassReverseCookieDomain localhost www.example.com
ProxyPassReverseCookiePath /webapp/ /
I believe this may be because the proxying was causing the domain and path in the cookie to be set incorrectly, but I have to read up some more about that!
I hope this helps someone else out there, and people with more expertise than me in this area can comment on whether this is a fair solution...
Related videos on Youtube
AAgg
Being an Embedded Developer for 10 yrs, now learning Web Development and associated technologies... Started with Java Spring, Hibernate, JPA, Postgre, Tomcat/Apache, JSP, Javascript, jQuery, Solr ... Thankful to Open Source Software for making such great products and SO for supporting developer community !!!
Updated on September 18, 2022Comments
-
AAgg over 1 year
I am having a Spring MVC app which uses Spring Security for login. I am using Apache Webserver as Proxy and Tomcat. Below is my /etc/apache2/sites-enabled/example.com.conf file:
ServerAdmin [email protected] ServerName example.com ServerAlias www.example.com DocumentRoot /var/www/example.com/public_html ProxyPreserveHost On ProxyRequests off ProxyPass /myapp/j_spring_security_check http://XX.YY.ZZ.WW:8080/myapp/j_spring_security_check ProxyPassReverse /myapp/j_spring_security_check http://XX.YY.ZZ.WW:8080/myapp/j_spring_security_check ProxyPass /myapp http://XX.YY.ZZ.WW:8080/myapp ProxyPassReverse /myapp http://XX.YY.ZZ.WW:8080/myapp
My problem is now I have to access my site as:
www.example.com/myapp
where as I want to access it as
www.example.com
I tried playing with it but then the login didn't work properly. How should I set the ProxyPass & ProxyPassReverse for this?
-
AAgg about 9 yearsI have tried tried this already, it doesn't work. Nothing gets displayed on the browser. Are you also using Spring Security? That could be the differentiator here.
-
raverone over 5 yearsJust a little add to Paul's answer: don't forget to add
RewriteEngine on
in<VirtualHost>
section -
Medioman92 over 4 yearshad a similar problem and IMHO this should be the accepted answer